A Portable Computer Security Workshop


PAUL J. WAGNER AND ANDREW T. PHILLIPS
University of Wisconsin-Eau Claire

We have developed a computer security workshop designed to instruct other post-secondary instructors who want to start a course or laboratory exercise sequence in computer security. This workshop has also been used to provide computer security education to IT professionals and students, and has been effective in communicating basic computer security principles as well as an understanding of some of the significant tools and techniques that have been developed in this area. Evaluation of the workshop has been very positive, and we will be offering the workshop locally, regionally and nationally in the next year as well. The materials from this workshop are available at

Categories and Subject Descriptors: C.2.0 [Computer Communication Networks]: General, Security and Protection; D.4.6 [Operating Systems]: Security and Protection; K.3 [Computing Milieux]: Computers and Education

General Terms: Management, Security

Additional Key Words and Phrases: Computer Security, Portable Workshop, Laboratory Exercises

1. INTRODUCTION

The last five years have seen a large growth in the demand for computer security and information assurance education [Martin 2002]. This is reflected both in the growth of computer security programs at the university level and the increased emphasis on and funding for security education through programs like the National Science Foundation's (NSF's) Federal Cyber Service: Scholarships for Service (SFS) program [NSF 2005] and the National Security Agency's (NSA's) certification of the Center for Academic Excellence in Information Assurance Education (CAEIAE) program [NSA 2005]. As part of this increased emphasis, many universities, including ours, have looked for ways to add or expand education relating to computer security.
At the University of Wisconsin-Eau Claire, we have chosen a multipronged approach, involving the development of two courses (CS 370, Computer Security, and CS 491, Cryptography and Network Security), a variety of course modules that can be plugged into other courses to introduce security-related topics, and a laboratory that supports our Computer Security course and the exercises used therein. The Computer Security course contains a combination of theory and practice (through weekly writing or hands-on laboratory exercises), and culminates in an attack/defend exercise, which we have described in [Wagner and Wudi 2004]. After developing the courses, modules, and laboratory environment, and after working to disseminate the results of our work, we realized there was a further need to teach the teachers, i.e., to find ways of passing on computer security and information security content to other university instructors as well as to system administrators and security professionals. We have developed a two-part, six-hour workshop that provides lectures and hands-on exercises in a variety of core computer security issues. Our primary goal is to educate new computer security instructors, and we view such instructors as our primary target audience. Indirectly, our goal is to enable instructors to develop their own courses and laboratory exercises, passing on this information to computer science students.

Such students are our secondary (and indirect) target audience. However, we also realized that there is a need for computer security education for current system and security professionals, and conclude that our workshop can meet this need as well. As such, system and security professionals are our tertiary target audience. The hands-on exercises are accomplished on an isolated portable network of laptop computers, running both the Windows and Linux operating systems as virtual images using the VMware virtual machine software [VMware 2005]. Similar to our Computer Security course, the workshop culminates in a cyberwar exercise, but here the participants harden their systems and are subjected to a series of common attacks by our systems staff in an attempt to synthesize knowledge regarding information gathering, vulnerability assessment, system hardening, and intrusion detection. There is no attack component in our workshop cyberwar exercise. We offered the workshop five times in the and academic years to a total of approximately 80 instructors and system/network administrators working in the security area, and received positive evaluations from the participants. We will be offering the workshops at least once more at the Association for Computing Machinery (ACM) Special Interest Group in Computer Science Education (SIGCSE) conference in March 2007 in Covington, KY.

2. BACKGROUND AND RELATED WORK

A number of other universities, especially those with NSA CAEIAE certification, have developed significant computer security and information assurance curricula. We modeled our curriculum on the program found at Indiana University of Pennsylvania, one of the original NSA CAEIAE institutions, but extended it in several ways as part of an NSF Course, Curriculum and Laboratory Improvement (CCLI) Adaptation and Implementation (A&I) grant [CLICS 2005].
Examples of other recent curricular work on computer security and information assurance can be found in [Aycock and Barker 2005; Bishop and Frincke 2005; Mateti 2003]. These three articles represent (though not completely) the wide range of issues in computer security education, ranging from understanding and teaching virus writing techniques (Aycock and Barker) to teaching secure programming (Bishop and Frincke) to developing laboratory-based security instruction (Mateti). Specific discussion of educational cyberwar exercises can be found in [Hoffman et al. 2005; Walden 2005; Wagner and Wudi 2004]. Hoffman et al. discuss four different cyberwar exercises, including the defense-only military academy cyber defense exercise (CDX) and three other cyberwar exercises with combined offense and defense components ranging from a small-scale contained internal exercise to a full-semester cybersecurity exercise. Walden has created a Linux-only cybersecurity exercise on a virtual network using User-Mode Linux [UML 2005]. A variety of other cybersecurity exercises have been developed in industry, government, and educational realms, further emphasizing the current need for hands-on cybersecurity education and training.

3. WORKSHOP CONTENTS

We developed our computer security training workshop primarily as a condensed version of various hands-on laboratory components from our Computer Security course. However, we have added several new features that have not yet been incorporated into our course. These features include carefully guided hands-on exercises, automatic configuration of participating machines through a centralized configuration and management tool, and a more centrally controlled and defense-oriented version of the final cyberwar exercise. The workshop focuses on system security, specifically server security, though the information and principles are certainly useful in the broader arena of information assurance. It concentrates on technological issues, though there is some discussion of social engineering, physical security, and other aspects of security as they relate to the concepts brought up in the workshop. It also focuses on defensive issues, though some discussion of attacking strategies is presented to help the participant understand the mindset of an attacker. It is executed on an isolated network to remove any chance of adverse effects on public systems. Finally, we discuss the ethical implications of working in the computer security area, which we feel is important to pass on to anyone working in this area. Given a limited amount of time (six hours in total), we present information on six computer security areas and finish with the cyberwar exercise, which allows us to organize the material in seven modules. Each module is discussed in more detail below.

3.1 Module 1: Footprinting and Packet Sniffing

The first module and exercise are entitled "Footprinting and Packet Sniffing". The pedagogical objective is to teach workshop participants how to gather information from computer systems using common system utilities as well as software packet sniffers.
The practical objective is to give workshop participants experience with common system utilities such as ping, hostname, who, last, arp, and netstat in the Linux environment, and combined tools such as Sam Spade in the Windows environment. The background required is basic familiarity with Linux and Windows operating systems and some understanding of computer networking, including IP addressing, ports, and multi-layer network protocol stacks such as the Open Systems Interconnect (OSI) model to understand the layers of information captured by packet sniffers. This module contains lecture material on information gathering (footprinting) and packet sniffing. It discusses the process of accumulating information (how small pieces of information can lead to the acquisition of larger pieces of information). The module discusses a variety of elementary system tools available under Linux to show that even a basic system without special tools or configuration can provide a platform for information gathering. We then present material on packet sniffing, and show how packet sniffers can allow someone to gather both basic system information (such as a list of system names and IP addresses) as well as particular content (such as usernames and passwords from an FTP stream).

The tools used in this module include basic system tools available under Linux (e.g., hostname, ifconfig, who, last, nslookup/dig, arp, netstat, finger), Sam Spade (a collection of these tools available under Windows), and ethereal (a common packet sniffer available under Linux and Windows). The hands-on exercise involves gathering information about the participant's local systems (again, both Windows and Linux), other participants' systems, and four bait systems that appear as servers in the network environment. The exercise also provides the participants with an opportunity to use their information-gathering expertise to probe other systems for active user accounts and associated information that may come in handy in later modules and ethical discussions.

3.2 Module 2: Port Scanning

The second module and exercise are entitled "Port Scanning". The pedagogical objective is to teach workshop participants how port information is exposed on computer systems and how software port scanners can identify such open ports. The practical objective is to give the participants experience with port scanning tools such as nmap in the Linux environment and SuperScan4 in the Windows environment. The background required includes understanding of the concept of ports and the services running behind them on computer systems. The second module contains lecture material on port scanning. It discusses the process of identifying open ports and services on a system. We examine different port scanning techniques, balancing the interests of information gathering and stealth, and discuss the possibility that attackers can use such stealth techniques to try to hide their information-gathering forays. The tools used in this module include the nmap (and GUI front end nmapfe) tools under Linux, and the SuperScan4 tool under Windows. The hands-on exercise involves identifying open ports and available services on the participant's local systems, other participants' systems, and the four bait systems.
At this point the participants are able to find and identify an open Windows server, a secure Windows server, an open Linux server, and a secure Linux server out of these four systems.

3.3 Module 3: Password Policy and Cracking

The third module and exercise are entitled "Password Policy and Cracking". The pedagogical objective is to teach workshop participants what components of password security are significant, how such components should be considered when developing password policy, and the relative ease of cracking passwords that are weak by these considerations. The practical objective is to give the participants experience with password-cracking tools such as John the Ripper in the Linux environment and SAMInside in the Windows environment, as well as experience with the Group Policy Editor in Windows to enforce password policy. The background required includes basic understanding of the concept of authentication using passwords.

The third module contains lecture material on password policies and password cracking. It discusses the components of password security (e.g., length, character content and complexity, expiration requirements, and password storage). We examine password-cracking approaches, and discuss the effect of the above components on the time it takes to crack a password of a certain length and complexity. We also discuss account maintenance, emphasizing the need for password control and/or checking by system administrators, and the removal of unused or non-secure accounts. The tools used in this module include the John the Ripper tool under Linux and the SamInside tool under Windows. We also look at the Group Policy settings under Windows to see how password construction can be controlled. The hands-on exercise involves analyzing passwords of different length and character content, and determining how long it takes the above tools to crack them. Based on this, workshop participants are encouraged to consider the elements of an appropriate password policy, and of course, to create more secure passwords replacing any weak ones found on their system.

3.4 Module 4: Vulnerability Assessment

The fourth module and exercise are entitled "Vulnerability Assessment". The pedagogical objective is to teach workshop participants how identification of the services running behind open ports can be compared to vulnerability databases to establish the existence of such vulnerabilities on a target system. The practical objective is to give the participants experience with vulnerability assessment tools such as nessus in the Linux environment and NeWT ("Nessus Windows Technology") and Microsoft Baseline Security Analyzer in the Windows environment. No additional background is required beyond that required for module 2 (Port Scanning). The fourth module contains lecture material on vulnerability assessment and analysis.
It discusses how tools can build on basic system information gathering and port scanning/service discovery to add a vulnerability database that includes the known vulnerabilities for various versions of software running on a given operating system. Such information can be used by attackers to discover vulnerabilities, but also can be used defensively by security professionals to test the vulnerability of their systems. Further analysis can be done on a variety of other areas, including examining the state of software patches, password security, and application security. The tools used in this module include the nessus tool under Linux and the NeWT tool under Windows. We also look at the Windows Baseline Security Analyzer for a vulnerability assessment tool that goes beyond service analysis. The hands-on exercise involves analyzing vulnerabilities on the participant's Linux and Windows systems to prepare the students for system hardening in the next module.
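
The comparison Module 4 describes, service versions found behind open ports checked against a table of known-vulnerable version ranges, can be sketched in a few lines. This is an added example, not part of the workshop materials or of nessus/NeWT; the host names, banners, product names and advisory IDs are all constructed placeholders.

```python
import re

# Constructed advisory table for this example. Product names, version ranges
# and advisory IDs are placeholders, not real vulnerability data.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "product": "demo-ftpd",
     "introduced": "1.0", "fixed_in": "1.4.2"},
    {"id": "EXAMPLE-ADV-002", "product": "demo-httpd",
     "introduced": "2.0", "fixed_in": "2.0.9"},
    {"id": "EXAMPLE-ADV-003", "product": "demo-httpd",
     "introduced": "1.3", "fixed_in": "2.1"},
]

# Constructed scan results: (host, port, banner text returned by the service).
OBSERVATIONS = [
    ("bait-linux-open", 21, "220 demo-ftpd 1.3.0 ready"),
    ("bait-linux-open", 80, "Server: demo-httpd/2.0.5"),
    ("bait-linux-secure", 21, "220 demo-ftpd 1.4.2 ready"),
    ("bait-linux-secure", 80, "Server: demo-httpd/2.1.0"),
    ("bait-win-open", 8080, "220 service ready"),  # banner reveals no version
]

# "<product> <version>" or "<product>/<version>" anywhere in the banner.
BANNER_RE = re.compile(
    r"(?P<product>[A-Za-z][\w-]*)[/ ](?P<version>\d+(?:\.\d+)+)")


def parse_version(text):
    """Turn '2.0.40' into (2, 0, 40); trailing zeros drop so 1.4 == 1.4.0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def identify_service(banner):
    """Return (product, version) from a banner, or None if it cannot be read."""
    m = BANNER_RE.search(banner)
    return (m["product"], m["version"]) if m else None


def matching_advisories(product, version, advisories=ADVISORIES):
    """IDs of advisories whose affected range [introduced, fixed_in) covers version."""
    v = parse_version(version)
    return [a["id"] for a in advisories
            if a["product"] == product
            and parse_version(a["introduced"]) <= v < parse_version(a["fixed_in"])]


def assess(observations, advisories=ADVISORIES):
    """Split observations into advisory matches and services needing manual review."""
    findings, unidentified = [], []
    for host, port, banner in observations:
        service = identify_service(banner)
        if service is None:
            # No product/version in the banner: a version match proves nothing
            # either way, so the service is queued for manual inspection.
            unidentified.append((host, port, banner))
            continue
        product, version = service
        for adv_id in matching_advisories(product, version, advisories):
            findings.append((host, port, product, version, adv_id))
    return findings, unidentified


if __name__ == "__main__":
    found, unknown = assess(OBSERVATIONS)
    for row in found:
        print("MATCH   ", *row)
    for row in unknown:
        print("REVIEW  ", *row)
```

A service that hides its version ends up in the review list rather than being reported clean, which is why banner-based results are a starting point for hardening, not a verdict.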

3.5 Module 5: System Hardening

The fifth module and exercise are entitled "System Hardening". The pedagogical objective is to teach workshop participants how systems can be hardened by removing unnecessary services and identifying and dealing with other configuration problems. The practical objective is to give the participants experience with service editors (on Linux and Windows) as well as other tools (such as bastille on Linux and Microsoft Baseline Security Analyzer on Windows) that can indicate and sometimes change system configuration settings to improve security. The background required includes basic understanding of the Linux and Windows operating systems and how services run in the background to perform necessary system functionality. The fifth module contains lecture material on system hardening. It discusses how vulnerability assessment tools can point toward areas that must be hardened, and how scripting tools can simplify and organize this process. It also discusses how services can be disabled under both Linux and Windows systems. The tools used in this module include the bastille script under Linux, and Microsoft Baseline Security Analyzer tool under Windows (although this is a vulnerability assessment tool, it also contains much information on and pointers toward steps that can be taken for system hardening). Participants also work with the service editors available under both Linux and Windows to learn how to control services running currently and automatically at boot time. The hands-on exercise involves practice with the system service tools as well as with the system hardening scripts. For the remaining exercises, participants are given a scenario in which they are told to treat their job as the newly hired system/security administrator (replacing someone who was just let go) for an internet service provider.
They are given a set of required services to maintain on their systems, including several unknown services, emphasizing the points that security must be balanced with required functionality and that security personnel often inherit software and situations over which they initially have little control.

3.6 Module 6: Intrusion Detection

The sixth module and exercise are entitled "Intrusion Detection". The pedagogical objective is to teach workshop participants how intrusions may be identified through the analysis of both network traffic and system information such as log or audit files and specialized information databases. The practical objective is to give the participants experience with network intrusion detection tools such as Snort in the Linux environment, and other system intrusion detection tools such as Tripwire, chkrootkit, and swatch in the Linux environment. The background required includes a basic understanding of log files, plus the network analysis/packet sniffing material covered earlier in the workshop. The sixth module contains lecture material on intrusion detection through log analysis, checking for root kits, and other intrusion detection techniques and tools.

The tools used in this module include the Tripwire file analysis tool, the swatch log-watching tool, the chkrootkit tool, and the Snort network intrusion detection tool under Linux. The hands-on exercise involves practice with all of these approaches and tools. Tripwire is configured, system files are changed, and the changes are caught by Tripwire. Failed root login attempts and the use of the ethereal packet sniffer are noted through swatch. Chkrootkit is run to gain an understanding of the files and issues involved with root kits. Finally, a new Snort rule is added, and Snort is run to detect the desired type of network traffic between two of the local systems based on the created rule.

3.7 Module 7: Cyberwar Exercise

The seventh module and exercise are entitled "Cyberwar Exercise". The pedagogical objective is to teach workshop participants how to integrate all of the previous material and exercises in hardening their systems against attack by our systems staff. The practical objective is to give the participants experience in integrating all of the tools previously used to accomplish this system hardening and perhaps identify attacks as they occur. The background required includes the understanding gained from the previous six modules. The seventh module contains no additional lecture material. At this point, participants are given a small amount of additional time to do any system hardening that they did not have time for and/or neglected during earlier steps. After this extra hardening period, our workshop systems staff begins a series of controlled exploits against all participant systems based on a variety of attack scenarios. The status of all participant machines is shown on a large display screen at the front of the room, letting all participants see if the attack successfully penetrated their system(s). This also allows some participants to see the attacks developing and possibly defend against them in real time.
It also limits the attack aspect of our workshop to our own system staff, thereby keeping the focus of our approach on system defense and response. The attacks take several different approaches. First, the root and administrator passwords are tested on the Linux and Windows systems respectively to determine if the password changing and account removal recommendations were well understood and acted upon. Second, attacks based on various buffer overflow exploits relating to known service vulnerabilities are tested on both Linux and Windows systems, most of which are based on vulnerabilities identified by one or more tools used in the earlier presentations and exercises (e.g., vulnerabilities in the Internet Information Server (IIS) on Windows systems are discussed, and the use of the IIS Lockdown Tool is recommended, but participants who don't run this tool find their systems compromised). Third, a final attack is accomplished on an area and vulnerability not previously discussed. While at first this seems unfair, it reminds the participants that security is a continuous process and that the tools available to attackers are continually evolving and changing; that is, security is a process, not a product [Schneier 2000].
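
The swatch exercise in Module 6 (noting failed root logins) and the password tests that open the cyberwar exercise both come down to watching the authentication log. The following is an added example, not a swatch configuration and not part of the workshop materials: a small watcher that flags repeated failed root logins from one source and a successful root login that follows them. The log lines, host name, addresses, year, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines (made-up host, documentation addresses).
SAMPLE_LOG = """\
Mar  3 14:02:11 ws07 sshd[2211]: Failed password for root from 192.0.2.50 port 40112 ssh2
Mar  3 14:02:15 ws07 sshd[2211]: Failed password for root from 192.0.2.50 port 40112 ssh2
Mar  3 14:02:19 ws07 sshd[2213]: Failed password for invalid user guest from 192.0.2.50 port 40115 ssh2
Mar  3 14:02:24 ws07 sshd[2215]: Failed password for root from 192.0.2.50 port 40118 ssh2
Mar  3 14:03:02 ws07 sshd[2219]: Accepted password for root from 192.0.2.50 port 40121 ssh2
Mar  3 14:10:40 ws07 sshd[2301]: Failed password for root from 192.0.2.77 port 51200 ssh2
Mar  3 14:30:00 ws07 sshd[2310]: Accepted password for root from 192.0.2.77 port 51333 ssh2
Mar  3 14:31:05 ws07 su: (to root) admin on pts/1
"""

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")


def watch(lines, year, threshold=3, window=timedelta(minutes=5)):
    """Return alerts as (kind, source address, timestamp string) tuples.

    Syslog timestamps carry no year, so the caller supplies one. Only root
    logins are tracked, matching the exercise described in the text.
    """
    failures = defaultdict(list)  # source address -> recent root failure times
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m or m["user"] != "root":
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        # Forget failures that have aged out of the sliding window.
        recent = [t for t in failures[src] if when - t <= window]
        if m["result"] == "Failed":
            recent.append(when)
            if len(recent) == threshold:  # alert once when the threshold is hit
                alerts.append(("repeated-root-failures", src, str(when)))
        elif recent:
            # Success right after failures: the guess may have worked.
            alerts.append(("root-login-after-failures", src, str(when)))
            recent = []
        failures[src] = recent
    return alerts


if __name__ == "__main__":
    for alert in watch(SAMPLE_LOG.splitlines(), year=2006):
        print(*alert)
```

The single failure from 192.0.2.77 followed by a login twenty minutes later raises nothing, because the failure has aged out of the five-minute window by then.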

3.8 Summary

A final summary is presented on the modules, emphasizing the basic computer security principles behind each of the modules. We find that it's important to remind participants that there are many more factors in computer security and information assurance beyond the scope of this workshop, and such areas must be integrated with those areas covered in the workshop. A common criticism of cyberwar exercises is that the very nature of the exercise tends to encourage attack as much as it does defense. We have handled this issue in two key ways, and to be clear about this, we agree that the point of the exercise is defense, not attack. First, at no point in our workshop is anyone encouraged to initiate an attack on another system, even though this is possible. The footprinting and port scanning exercises do not involve anything more than information gathering. All attacks are conducted and controlled by our systems staff without providing the details of how the attacks are mounted other than to identify the vulnerability exploited. Second, to highlight the ethics involved in computer security using the tools we provide, we quietly record all occurrences of unauthorized accesses by the participants to other systems during the course of the workshop. This information is then used later in a discussion about the ethics of acting on the information they have gained from footprinting. Workshop participants usually are chagrined to learn that we caught them, thereby making our point about ethical conduct better than we could have via a simple lecture point.

4. WORKSHOP NETWORK AND SYSTEM CONFIGURATION

We have seen a need for the offering of workshops like this at national and regional educational conferences, and potentially at other venues as well.
At the same time, we have noticed that it is often very difficult to work with another institution's systems to properly configure their machines, especially with potentially dangerous tools, and to change to an isolated environment. We decided that we needed a different model for our laboratory to succeed, and we have developed a completely portable laptop-based laboratory that can be set up and configured in only one to two hours. To accomplish the exercises in this workshop, we use an isolated network set up with a group of approximately 20 laptop computers connected to a switch. The switch is configured to function as a hub, allowing participants to see all traffic on the network rather than just their individual traffic. Each machine is connected to the switch with a traditional network cable, and no wireless traffic is allowed (to ensure that the network is indeed isolated). Each participant's laptop system is running Windows Server 2003, along with a copy of VMware. Each system contains both a RedHat 8 Linux image and a Windows 2000 image, both running under VMware. This allows the participants to rapidly switch back and forth between Windows and Linux, and participants can even be running tools in the background on one image while actively working with the other image. In the event of a catastrophic image failure, the image files can be reloaded on any given laptop within minutes.

The workshop management system runs on one of several laptop systems used by our systems staff to create and manage the network environment. The four bait systems are all run virtually on one of these systems as well.

5. WORKSHOP TOOLS

Our systems staff has developed several tools to support this workshop. While not essential to using the workshop material, we have found that they significantly speed up the workshop laboratory setup and greatly assist the management of the hands-on exercises. First, the staff uses a tool to distribute both the host operating system and the two client images (Linux and Windows) to each laptop. A 20-system network can be set up with client images distributed to each host machine in approximately 10 minutes. Second, they have developed a tool to allow the execution of a variety of commands on the remote client systems. This can range from the addition of users, to the addition or removal of a given service, to the shutdown or rebooting of a virtual machine. This tool allows the dynamic configuration of the laboratory environment and the addition of both accounts and files specific to the given exercises, all controlled by our system staff. Third, the staff has developed a tool to check the availability status of the required services on each of the participant's Linux and Windows machines. This tool displays each machine name, its operating system, and whether it is active (all services available) or if it has a problem with one or more services. This allows us (and all of the participants) to see if any participant has gone too far in hardening their machines during the later modules, and we then encourage them to restore the required services to serve their clients as we requested. This same tool is used to display the status of the automated attacks by highlighting that an exploit against a given vulnerability (e.g., unchanged password, IIS, unneeded Session Message Block (SMB) service) has occurred.
The above tools are currently developed as prototypes, with fairly limited user interfaces at this point. Our hope is to further develop these tools to the point that they can be used by the workshop instructors directly, rather than by the systems staff themselves, thus allowing the workshop to be run by fewer people.

6. EVALUATION

We offered this workshop three times over the academic year. First, we gave a test run of this workshop on desktop machines at our host institution, offering it to approximately 15 university systems and application development staff. Second, we offered the workshop in its current form to faculty from several departments (Computer Science, MIS) as well as other systems and application development staff at our university and a neighboring institution, for a total of approximately 15 more participants. These first two offerings were viewed primarily as dry runs for our third offering, but at the same time allowed us to reach a wider audience, including system and network professionals from university computing environments. Third, we offered the workshop to 26 university instructors at the ACM SIGCSE conference in St. Louis in February We offered this workshop two more times during the academic year, starting with another practice run at the Chippewa Valley Technical College in Eau Claire, Wisconsin, and finishing with another national offering to 30 university instructors at the SIGCSE conference in Houston in March We developed a workshop evaluation document and used this for the second, third and fifth offerings of the workshop. The results have been positive. Table I below shows the average evaluation scores obtained from the SIGCSE 2005 and SIGCSE 2006 workshops (with 54 instructor participants filling out the evaluation forms) using a Likert Scale from 1 (Strongly Disagree) to 5 (Strongly Agree).

Table I. Evaluation Questions and Average Ratings

Evaluation Question | Average Rating
This workshop helped me to gain experience with computer security tools and techniques with which I was not previously familiar. | 4.7
This workshop focused on tools and techniques that, in my opinion, are important in computer security education. | 4.8
The workshop focused on tools and techniques that are of interest to me. | 4.7
The presentation (PPT slides, handouts, and workshop discussion) of the material related to the tools and techniques was sufficiently complete for my interest level. | 4.6
The exercises related to the tools and techniques were valuable and informative. | 4.7
I could use the workshop presentation materials (PPT slides and handouts), as is, within my own computing program. | 3.9
I could use the workshop exercises, as is, within my own computing program. | 3.9
The workshop time devoted to hands-on use of the tools was valuable. | 4.7
This workshop was of value to me. | 4.7
I would recommend this workshop to others. | 4.7
Having a copy of the pre-packaged workshop software suite for use in my computing program would be of value to me. | 4.6

We have also done some preliminary outcomes assessment to determine if the knowledge and materials from the workshop are useful to the instructors participating in our workshops.
We attempted to contact each of the instructor participants of our SIGCSE 2005 workshop approximately 10 months after the workshop and gathered the following information:

Respondents (out of 26 original workshop participants): 11
Have developed computer security courses since the workshop: 4
Have developed computer security course modules within other courses since the workshop: 2
Have used knowledge from workshop in developing courses: 3
Have used materials from workshop in developing courses: 2
Have used knowledge from workshop in developing modules: 1
Have used materials from workshop in developing modules: 1
Have not used materials or knowledge, working in education/security area: 2
Have not used materials or knowledge, not working in education/security area: 2

Summarizing the above chart in a positive way, at least six out of 11 respondents are using either the knowledge gained from the workshop material and exercises in development of cybersecurity curriculum (either courses or course modules), and two of the remaining four respondents are no longer working in computer security education.

We view this as a positive outcome in the sense that over half of the respondents who are currently involved in computer security education are using the workshop knowledge and materials in this process. The less positive results that stand out are two: first, a significant number of workshop participants have not responded, thus calling the above rate of success into question, and second, the materials appear to be less useful than the general knowledge. In response to the first less-positive result, we will attempt additional follow-up to expand on our assessment, and to the second, we will make it a higher priority as a goal of our work to find ways to make our materials more generally useful. Also, we plan to do more-detailed outcomes assessment to find out more about 1) the usage of our information and materials by instructors in the development of their own courseware and laboratory exercises, 2) how successful the work of our instructor participants has been as they return to their host institutions, and 3) the issues with this knowledge and materials transfer.

7. AVAILABLE RESOURCES

We have made most of the resources discussed in this paper available through our web site at The following items are available:

- PowerPoint slides for the lecture components of each module, as well as introductory and summary slides
- PDF files containing the workshop exercises for the first six modules
- Several other background documents on basic security principles, basic network information, a primer on using VMware, and some basic Linux documents for those unfamiliar with that operating system (we suggest that participants read these documents before the workshop if they need basic background information in any of these areas)
- A list of the tools used in the workshop and their web sources
- A list of computer security books for those wishing to examine the workshop areas and computer security / information assessment in more detail.
The above materials are freely available to all interested parties, and we encourage their ethical usage and adaptation in other computer security and information assurance curriculum.

8. FUTURE WORK

As noted above, only prototype versions of the workshop network configuration and management tools have been developed, and we do not consider these tools to be generally usable by others at this point. We are investigating the possibility of further development of these tools for general usage, and at that point would make them available to all interested parties.

We also plan to do additional outcomes assessment to evaluate the quality of each exercise. As noted above, our current outcomes assessment has been limited to overall evaluation of the knowledge gained and material provided from the workshop, and we now plan to focus on the specific usage and quality of the material in each exercise.

9. CONCLUSION

We have developed a two-part, six-hour computer security workshop that is primarily designed to instruct those wanting to start a course or laboratory exercise sequence in a variety of areas related to computer security. This workshop has also been used to provide computer security education to IT professionals and students, and has been effective in communicating basic computer security principles as well as an understanding of some of the significant tools and techniques in this area. Evaluation of the workshop has been positive, and we will be offering the workshop locally, regionally, and nationally in the next year as well. The materials from this workshop are freely available at our project web site:

ACKNOWLEDGMENTS

Many thanks to Jason Wudi, Tom Paine, and Daren Bauer, our campus system and networking staff members who have worked with us on this project, developed the tools used in our workshop, and set up the network and systems for the workshop. We could not have developed and presented this workshop without their help, and their comments, insights, and work have been invaluable.

This research was supported by the National Science Foundation, Grant DUE

Authors' addresses: Paul J. Wagner (wagnerpj@uwec.edu) and Andrew T. Phillips (phillipa@uwec.edu), Department of Computer Science, University of Wisconsin Eau Claire; Eau Claire, WI

Permission to make digital/hard copy of part of this work for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage, the copyright notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee.


More information

Evaluating Intrusion Detection Systems without Attacking your Friends: The 1998 DARPA Intrusion Detection Evaluation

Evaluating Intrusion Detection Systems without Attacking your Friends: The 1998 DARPA Intrusion Detection Evaluation Evaluating Intrusion Detection Systems without Attacking your Friends: The 1998 DARPA Intrusion Detection Evaluation R. K. Cunningham, R. P. Lippmann, D. J. Fried, S. L. Garfinkel, I. Graf, K. R. Kendall,

More information

IPLocks Vulnerability Assessment: A Database Assessment Solution

IPLocks Vulnerability Assessment: A Database Assessment Solution IPLOCKS WHITE PAPER February 2006 IPLocks Vulnerability Assessment: A Database Assessment Solution 2665 North First Street, Suite 110 San Jose, CA 95134 Telephone: 408.383.7500 www.iplocks.com TABLE OF

More information

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks IPsonar provides visibility into every IP asset, host, node, and connection on the network, performing an active probe and mapping everything that's on the network, resulting in a comprehensive view of

More information

Footprinting and Reconnaissance Tools

Footprinting and Reconnaissance Tools Footprinting and Reconnaissance Tools Topic 1: Common Port Scanning Techniques Do some research on computer ports that are most often scanned by hackers. Identify a port scanning exploit that is interesting

More information

Safe network analysis

Safe network analysis Safe network analysis Generating network traffic captures within a virtual network. Presented by Andrew Martin 1 Introduction What is a sniffer How does sniffing work Usages Scenarios Building safe repositories

More information

Banking Security using Honeypot

Banking Security using Honeypot Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

1.0 Introduction. 2.0 Data Gathering

1.0 Introduction. 2.0 Data Gathering Nessus Scanning 1.0 Introduction Nessus is a vulnerability scanner, a program that looks for security bugs in software. There is a freely available open source version which runs on Unix. Tenable Security

More information

KEVIN CARDWELL. Q/SA (Qualified Security Analyst) Penetration Tester. & Optional Q/PTL (Qualified Penetration Licence) Workshop

KEVIN CARDWELL. Q/SA (Qualified Security Analyst) Penetration Tester. & Optional Q/PTL (Qualified Penetration Licence) Workshop TECHNOLOGY TRANSFER PRESENTS KEVIN CARDWELL Q/SA (Qualified Security Analyst) Penetration Tester & Optional Q/PTL (Qualified Penetration Licence) Workshop MAY 18-22, 2009 VISCONTI PALACE HOTEL - VIA FEDERICO

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006 IBM TRAINING A43 Modern Hacking Techniques and IP Security By Shawn Mullen Las Vegas, NV 2005 CSI/FBI US Computer Crime and Computer Security Survey 9 out of 10 experienced computer security incident in

More information

Course Descriptions November 2014

Course Descriptions November 2014 Master of Science In Information Security Management Course Descriptions November 2014 Master of Science in Information Security Management The Master of Science in Information Security Management (MSISM)

More information

Lab 8.4.2 Configuring Access Policies and DMZ Settings

Lab 8.4.2 Configuring Access Policies and DMZ Settings Lab 8.4.2 Configuring Access Policies and DMZ Settings Objectives Log in to a multi-function device and view security settings. Set up Internet access policies based on IP address and application. Set

More information

Network Forensics: Log Analysis

Network Forensics: Log Analysis Network Forensics: Analysis Richard Baskerville Agenda P Terms & -based Tracing P Application Layer Analysis P Lower Layer Analysis Georgia State University 1 2 Two Important Terms PPromiscuous Mode

More information

Guide for Designing Cyber Security Exercises

Guide for Designing Cyber Security Exercises Guide for Designing Cyber Security Exercises VICTOR-VALERIU PATRICIU Computer Science Department Military Technical Academy Bucharest, Bd. George Cosbuc, no. 81-83 ROMANIA victorpatriciu@yahoo.com ADRIAN

More information